■ KPIs: Key Performance Indicators
• Quantify performance
• Important, but not enough for safety

■ SPIs: Safety Performance Indicators
• Quantify safety
• Leading vs. Lagging SPIs
• Safety case validity SPIs

Key Performance Indicator (KPI)

■ KPI:
• Quantifiable measurement
• Used to gauge statistical performance

■ KPI examples:
• Percent correctly identified pedestrians
• Miles between SDC self-disengagements
• Miles between uncomfortable braking

■ KPIs can measure SDC progress
• Metrics should improve over time
• But: KPIs are the wrong approach for safety

Six Sigma Isn't Enough for Safety

■ KPIs help with quality
• Are all functions working?
• Is the functionality improving?
• Is the fault rate decreasing?

■ Good KPIs are only the start
• Six Sigma quality: 99.99966% (five nines)
  – A good start; not enough for life-critical functions
• Fatal crash avoidance: 99.9999999996% (eleven nines)
  – Safety is 1 million times more demanding: 8.34 sigma
    » (example: 1000 opportunities/mile, 250M miles/fatal crash, 1.5σ shift)
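As an added worked example (not from the original slides), this carries the slide's sigma arithmetic through: it uses the Six Sigma convention of a 1.5σ long-term shift, and the 1000 opportunities/mile and 250M miles per fatal crash figures are the slide's own illustrative values, not measured data.

```python
from statistics import NormalDist

# Six Sigma convention: the quoted "sigma level" allows a 1.5-sigma long-term
# process shift, so a 6-sigma process has a one-sided defect probability of
# P(Z > 6 - 1.5) = P(Z > 4.5) ~= 3.4e-6, i.e. 99.99966% defect-free.
SIGMA_SHIFT = 1.5
_STD_NORMAL = NormalDist()


def defect_probability(sigma_level: float, shift: float = SIGMA_SHIFT) -> float:
    """One-sided defect probability of a process at the given sigma level."""
    return _STD_NORMAL.cdf(-(sigma_level - shift))


def sigma_level(defect_prob: float, shift: float = SIGMA_SHIFT) -> float:
    """Inverse of defect_probability: sigma level for a given defect probability."""
    return _STD_NORMAL.inv_cdf(1.0 - defect_prob) + shift


def crash_defect_probability(opportunities_per_mile: float,
                             miles_per_fatal_crash: float) -> float:
    """Probability that one driving 'opportunity' (a decision point at which a
    crash could happen) ends in a fatal crash, given a fleet-level crash rate."""
    return 1.0 / (opportunities_per_mile * miles_per_fatal_crash)


def safety_vs_six_sigma(opportunities_per_mile: float = 1000.0,
                        miles_per_fatal_crash: float = 250e6) -> dict:
    """Compare the fatal-crash-avoidance requirement with Six Sigma quality.
    Defaults are the slide's illustrative figures (assumed, not measured)."""
    p_crash = crash_defect_probability(opportunities_per_mile, miles_per_fatal_crash)
    p_six_sigma = defect_probability(6.0)
    return {
        "p_crash_per_opportunity": p_crash,               # 4e-12
        "crash_avoidance_pct": 100.0 * (1.0 - p_crash),   # 99.9999999996 (eleven nines)
        "required_sigma": sigma_level(p_crash),           # ~8.34 sigma
        "times_more_demanding": p_six_sigma / p_crash,    # ~850,000, "about a million"
    }


if __name__ == "__main__":
    for name, value in safety_vs_six_sigma().items():
        print(f"{name}: {value:.6g}")
```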

Functionality vs. Safety

■ Functionality (KPIs):
• Are all the features implemented?
• Does each feature work as intended?
• Are all scenarios accounted for?
• Does the product do what it is supposed to?

■ Safety:
• Are there dangerous mis-behaviors?
• Are there dangerous gaps in the Operational Design Domain?
• Are there dangerous gaps in fault responses?
• Are there dangerous defects in requirements, design, repair, etc.?

Safety Performance Indicator (SPI)

■ SPI:
• Quantifiable measurement
• Used to gauge safety
• Typically: arrival rate of adverse events compared to a risk budget

■ Lagging SPI metrics (per hour is implied):
• Loss events (crashes) per hour
• Incidents (could have been a loss event)
  – Example: running a red light, driving wrong direction for lane

Leading SPIs

■ System Level Leading SPIs:
• Road test incidents caught by safety driver
• Simulator (SIL/HIL) incidents

■ Subsystem Leading SPIs:
• Vehicle Controls: compromised vehicle stability
• Path Planning: insufficient clearance to object
• Perception: false negative (non-detection)
• Prediction: unexpected object behavior

■ Lifecycle SPIs:
• Maintenance errors
• Invalid configuration installed

Safety Case

■ System is safe because ...
• Explanation of why
• Evidence supporting explanation
• Assumptions

[Figure: safety case structure (CLAIM, ARGUMENT 1)]

■ Ex.: SDC misses (does not hit) pedestrians because...
• Pedestrians are detected with 3 sensor types
• Pedestrian intent is predicted accurately
• Path planning leaves buffer zone around them

■ SPIs help detect violations of the safety case

SPIs and the Safety Case

■ SPIs also measure safety case assumptions
• ODD matches the Operational Domain
• Validation predicts operational performance
• Maintenance performed as required
• Correct configuration installed in vehicle

■ Example Safety Case-related SPIs:
• Appearance of assumed rare objects and events
• Correlated diverse sensor detection faults
• Safety related maintenance error

KPI vs. SPI Contrast

■ Distance to object:
• KPI: average and 95th percentile clearance
• SPI: how often SDC violates safe clearance limit

■ Sensor effectiveness:
• KPI: detection rate, SNR per sensor
• SPI: concurrent multi-sensor detection failure
• SPI: loss of calibration

■ Pedestrian perception:
• KPI: accuracy, precision, recall
• SPI: false negative for more than <k> consecutive frames
• SPI: previously unknown type of pedestrian encountered
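As an added example (not from the original slides), this puts the pedestrian-perception KPI vs. SPI contrast above and the earlier "arrival rate of adverse events compared to a risk budget" definition into code: recall is the KPI, runs of more than k consecutive false negatives are the SPI, and an incident arrival rate is checked against its budget using a Poisson upper confidence bound so that a short test campaign with few events is not mistaken for evidence of safety. The frame log, event counts, exposure hours and budget are all constructed, hypothetical values.

```python
import math

# Constructed per-frame perception log for one pedestrian track (hypothetical
# data, not from any real vehicle): True = pedestrian detected in that frame,
# False = false negative. 100 frames with 5 misses: one isolated miss and one
# run of 4 consecutive misses.
FRAMES = [True] * 100
FRAMES[20] = False
for _i in range(60, 64):
    FRAMES[_i] = False


def kpi_recall(frames):
    """KPI: fraction of frames in which the pedestrian was detected."""
    return sum(frames) / len(frames)


def spi_missed_runs(frames, k):
    """SPI: number of runs of MORE than k consecutive false negatives.
    One long run can be a near-loss event even when recall looks fine."""
    runs, current = 0, 0
    for detected in frames:
        current = 0 if detected else current + 1
        if current == k + 1:  # count each run once, when it first exceeds k
            runs += 1
    return runs


def poisson_upper_bound(events, confidence=0.95):
    """Upper confidence bound on a Poisson mean from an observed event count:
    the largest mean lam with P(X <= events | lam) >= 1 - confidence, found by
    bisection on the Poisson CDF (0 events gives ~3.0, the 'rule of three')."""
    target = 1.0 - confidence
    lo, hi = 0.0, 10.0 * (events + 1)
    for _ in range(100):
        mid = (lo + hi) / 2.0
        cdf = sum(math.exp(-mid) * mid ** i / math.factorial(i)
                  for i in range(events + 1))
        if cdf > target:
            lo = mid  # mean still small enough that <= events is likely
        else:
            hi = mid
    return (lo + hi) / 2.0


def spi_against_budget(events, exposure_hours, budget_per_hour):
    """Compare an SPI arrival rate with its risk budget, conservatively using
    the 95% upper bound rather than the point estimate."""
    point_rate = events / exposure_hours
    upper_rate = poisson_upper_bound(events) / exposure_hours
    return {"rate": point_rate, "upper95": upper_rate,
            "within_budget": upper_rate <= budget_per_hour}
```

With 2 incidents in 1,000 hours against a budget of 0.005/hour the point rate (0.002) looks fine but the upper bound (about 0.0063) does not, whereas the same count over 10,000 hours does meet the budget.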

SPIs and the Deployment Decision

■ KPIs can predict if your SDC will "work"
• SOTIF analysis resolves many outliers

■ SPIs can predict if it will work safely
• System level SPIs from simulation & testing
  – At system level, an outlier could be fatal
• Subsystem SPIs
  – Control, planning, prediction, perception performance SPIs
  – Ability of system to detect and respond to exiting ODD
• Safety case SPIs
  – Arrival rate of "surprises" / unknown unknowns during testing
  – Arrival rate of gaps in safety case being discovered

Conclusions

■ SPIs predict and monitor system safety
• KPIs: "how well do we drive"
• SPIs: "how often are we potentially unsafe"

■ Different flavors of SPIs
• Lagging (e.g., crash rates)
• Leading (e.g., simulator collisions, testing incidents)
• Safety case SPIs (how often is safety case invalid)

■ Do you have SPI coverage for your system?
• Extend SOTIF analysis beyond KPIs to include SPIs
• See ANSI/UL 4600 Chapter 16 on SPIs